<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: NRF + PCI = CIO Job Security</title>
	<atom:link href="http://storefrontbacktalk.com/securityfraud/nrf-pci-cio-job-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://storefrontbacktalk.com/securityfraud/nrf-pci-cio-job-security/</link>
	<description>Techniques, Tools and Tirades about Retail Technology and E-Commerce</description>
	<lastBuildDate>Wed, 08 Feb 2012 03:42:56 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
	<item>
		<title>By: Mark Bower</title>
		<link>http://storefrontbacktalk.com/securityfraud/nrf-pci-cio-job-security/comment-page-1/#comment-64348</link>
		<dc:creator>Mark Bower</dc:creator>
		<pubDate>Fri, 15 Jan 2010 19:58:27 +0000</pubDate>
		<guid isPermaLink="false">http://www.storefrontbacktalk.com/?p=4545#comment-64348</guid>
		<description>A nice summary. NRF was certainly buzzing around true End-to-end encryption and tokenization. We&#039;re not taking point to point. End-to-End is from swipe to acquirer, and/or swipe to PAN dependent merchant system - something only possible with new approaches I&#039;ve mentioned here in the past.

What was interesting to me was seeing the contrast in the efforts of various approaches being tried. Some merchants we met for the first time had been struggling for 2 years already or more trying to achieve this and still stuck in pilot with older style tokenization and legacy encryption which struggles when it comes to the change impact in legacy hardware/software and when taking into account critical back office functions like velocity checking and fraud investigations, e-discovery etc. When I described how we&#039;d already taken Tier 1&#039;s through this to PCI compliance in a fraction of that time with Format Preserving Encryption there was a lot of excitement - these new approaches avoid exactly the change impact they were struggling with in integrating encryption and tokenization into the complex merchant legacy environment and processes.

Another highlight for me was how many merchants really do see the need to go well beyond PCI DSS which as you note is falling behind the fast path merchants are heading in new areas like mobility - what a hot topic at NRF! Merchants not only want to explore new payments acceptance like mobile, but want to also cover employee data, partner communications, and other privacy regulated data in a single swoop. Of course, our conversations drift to those areas as we solve those challenges too with our overall data protection platform - but it was striking nonetheless. The concern being what&#039;s the point of investing several million in PCI compliance and focus just on credit card data and leaving equally sensitive data at risk - SSN&#039;s, Tax Data, competitive strategy information, HR data on vast numbers of past and present employees in a very high staff turnover business.

So from an uplifting show at NRF I see 2010 being one of not only E2E and Tokenization in the payments side, but solving the big picture - sensitive data organization wide. That&#039;s where the real ROI will be for merchants in data protection investments. No point being the front page breach news if your systems are compromised and all your employee data is exposed - it&#039;s the same reputation and brand damage impact.</description>
		<content:encoded><![CDATA[<p>A nice summary. NRF was certainly buzzing around true End-to-end encryption and tokenization. We&#8217;re not taking point to point. End-to-End is from swipe to acquirer, and/or swipe to PAN dependent merchant system &#8211; something only possible with new approaches I&#8217;ve mentioned here in the past.</p>
<p>What was interesting to me was seeing the contrast in the efforts of various approaches being tried. Some merchants we met for the first time had been struggling for 2 years already or more trying to achieve this and still stuck in pilot with older style tokenization and legacy encryption which struggles when it comes to the change impact in legacy hardware/software and when taking into account critical back office functions like velocity checking and fraud investigations, e-discovery etc. When I described how we&#8217;d already taken Tier 1&#8242;s through this to PCI compliance in a fraction of that time with Format Preserving Encryption there was a lot of excitement &#8211; these new approaches avoid exactly the change impact they were struggling with in integrating encryption and tokenization into the complex merchant legacy environment and processes.</p>
<p>Another highlight for me was how many merchants really do see the need to go well beyond PCI DSS which as you note is falling behind the fast path merchants are heading in new areas like mobility &#8211; what a hot topic at NRF! Merchants not only want to explore new payments acceptance like mobile, but want to also cover employee data, partner communications, and other privacy regulated data in a single swoop. Of course, our conversations drift to those areas as we solve those challenges too with our overall data protection platform &#8211; but it was striking nonetheless. The concern being what&#8217;s the point of investing several million in PCI compliance and focus just on credit card data and leaving equally sensitive data at risk &#8211; SSN&#8217;s, Tax Data, competitive strategy information, HR data on vast numbers of past and present employees in a very high staff turnover business.</p>
<p>So from an uplifting show at NRF I see 2010 being one of not only E2E and Tokenization in the payments side, but solving the big picture &#8211; sensitive data organization wide. That&#8217;s where the real ROI will be for merchants in data protection investments. No point being the front page breach news if your systems are compromised and all your employee data is exposed &#8211; it&#8217;s the same reputation and brand damage impact.</p>
]]></content:encoded>
	</item>
</channel>
</rss>

